aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

alert/eve: use addr info struct for source/target (jsonbuilder prep)

Browse Source 
Update the source/target logging to use the cached address info
instead of fetching it from the constructed json_t object.

This is required for migration to JsonBuilder which does not
have the ability to retrieve already set fields.
pull/5012/head
Jason Ish 6 years ago committed by Victor Julien
parent 5ab673aee2
commit 5e1b44ac71
6 changed files with 27 additions and 18 deletions
Show Stats Download Patch File Download Diff File

27
src/output-json-alert.c
Unescape Escape View File

@ -214,7 +214,7 @@ static void AlertJsonDns(const Flow *f, const uint64_t tx_id, json_t *js)
}
static void AlertJsonSourceTarget(const Packet *p, const PacketAlert *pa,
json_t *js, json_t* ajs)
json_t* ajs, JsonAddrInfo *addr)
{
json_t *sjs = json_object();
if (sjs == NULL) {
@ -228,8 +228,8 @@ static void AlertJsonSourceTarget(const Packet *p, const PacketAlert *pa,
}
if (pa->s->flags & SIG_FLAG_DEST_IS_TARGET) {
json_object_set(sjs, "ip", json_object_get(js, "src_ip"));
json_object_set(tjs, "ip", json_object_get(js, "dest_ip"));
json_object_set(sjs, "ip", json_string(addr->src_ip));
json_object_set(tjs, "ip", json_string(addr->dst_ip));
switch (p->proto) {
case IPPROTO_ICMP:
case IPPROTO_ICMPV6:
@ -237,13 +237,13 @@ static void AlertJsonSourceTarget(const Packet *p, const PacketAlert *pa,
case IPPROTO_UDP:
case IPPROTO_TCP:
case IPPROTO_SCTP:
json_object_set(sjs, "port", json_object_get(js, "src_port"));
json_object_set(tjs, "port", json_object_get(js, "dest_port"));
json_object_set(sjs, "port", json_integer(addr->sp));
json_object_set(tjs, "port", json_integer(addr->dp));
break;
}
} else if (pa->s->flags & SIG_FLAG_SRC_IS_TARGET) {
json_object_set(sjs, "ip", json_object_get(js, "dest_ip"));
json_object_set(tjs, "ip", json_object_get(js, "src_ip"));
json_object_set(sjs, "ip", json_string(addr->dst_ip));
json_object_set(tjs, "ip", json_string(addr->src_ip));
switch (p->proto) {
case IPPROTO_ICMP:
case IPPROTO_ICMPV6:
@ -251,8 +251,8 @@ static void AlertJsonSourceTarget(const Packet *p, const PacketAlert *pa,
case IPPROTO_UDP:
case IPPROTO_TCP:
case IPPROTO_SCTP:
json_object_set(sjs, "port", json_object_get(js, "dest_port"));
json_object_set(tjs, "port", json_object_get(js, "src_port"));
json_object_set(sjs, "port", json_integer(addr->dp));
json_object_set(tjs, "port", json_integer(addr->sp));
break;
}
}
@ -293,7 +293,7 @@ static void AlertJsonMetadata(AlertJsonOutputCtx *json_output_ctx, const PacketA
void AlertJsonHeader(void *ctx, const Packet *p, const PacketAlert *pa, json_t *js,
uint16_t flags)
uint16_t flags, JsonAddrInfo *addr)
{
AlertJsonOutputCtx *json_output_ctx = (AlertJsonOutputCtx *)ctx;
const char *action = "allowed";
@ -334,8 +334,8 @@ void AlertJsonHeader(void *ctx, const Packet *p, const PacketAlert *pa, json_t *
if (p->tenant_id > 0)
json_object_set_new(ajs, "tenant_id", json_integer(p->tenant_id));
if (pa->s->flags & SIG_FLAG_HAS_TARGET) {
AlertJsonSourceTarget(p, pa, js, ajs);
if (addr && pa->s->flags & SIG_FLAG_HAS_TARGET) {
AlertJsonSourceTarget(p, pa, ajs, addr);
}
if ((json_output_ctx != NULL) && (flags & LOG_JSON_RULE_METADATA)) {
@ -452,7 +452,8 @@ static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
MemBufferReset(aft->json_buffer);
/* alert */
AlertJsonHeader(json_output_ctx, p, pa, js, json_output_ctx->flags);
AlertJsonHeader(json_output_ctx, p, pa, js, json_output_ctx->flags,
&addr);
if (IS_TUNNEL_PKT(p)) {
AlertJsonTunnel(p, js);

2
src/output-json-alert.h
Unescape Escape View File

@ -29,7 +29,7 @@
void JsonAlertLogRegister(void);
void AlertJsonHeader(void *ctx, const Packet *p, const PacketAlert *pa, json_t *js,
uint16_t flags);
uint16_t flags, JsonAddrInfo *addr);
#endif /* __OUTPUT_JSON_ALERT_H__ */

9
src/output-json-drop.c
Unescape Escape View File

@ -87,7 +87,10 @@ static int DropLogJSON (JsonDropLogThread *aft, const Packet *p)
{
JsonDropOutputCtx *drop_ctx = aft->drop_ctx;
json_t *js = CreateJSONHeader(p, LOG_DIR_PACKET, "drop", NULL);
JsonAddrInfo addr = json_addr_info_zero;
JsonAddrInfoInit(p, LOG_DIR_PACKET, &addr);
json_t *js = CreateJSONHeader(p, LOG_DIR_PACKET, "drop", &addr);
if (unlikely(js == NULL))
return TM_ECODE_OK;
@ -160,14 +163,14 @@ static int DropLogJSON (JsonDropLogThread *aft, const Packet *p)
if ((pa->action & (ACTION_REJECT|ACTION_REJECT_DST|ACTION_REJECT_BOTH)) ||
((pa->action & ACTION_DROP) && EngineModeIsIPS()))
{
AlertJsonHeader(NULL, p, pa, js, 0);
AlertJsonHeader(NULL, p, pa, js, 0, &addr);
logged = 1;
}
}
if (logged == 0) {
if (p->alerts.drop.action != 0) {
const PacketAlert *pa = &p->alerts.drop;
AlertJsonHeader(NULL, p, pa, js, 0);
AlertJsonHeader(NULL, p, pa, js, 0, &addr);
}
}
}

4
src/output-json.c
Unescape Escape View File

@ -82,6 +82,8 @@ static const char *TRAFFIC_LABEL_PREFIX = "traffic/label/";
static size_t traffic_id_prefix_len = 0;
static size_t traffic_label_prefix_len = 0;
const JsonAddrInfo json_addr_info_zero;
void OutputJsonRegister (void)
{
OutputRegisterModule(MODULE_NAME, "eve-log", OutputJsonInitCtx);
@ -881,7 +883,7 @@ json_t *CreateJSONHeader(const Packet *p, enum OutputJsonLogDirection dir,
}
/* 5-tuple */
JsonAddrInfo addr_info = {0};
JsonAddrInfo addr_info = json_addr_info_zero;
if (addr == NULL) {
JsonAddrInfoInit(p, dir, &addr_info);
addr = &addr_info;

2
src/output-json.h
Unescape Escape View File

@ -52,6 +52,8 @@ typedef struct JsonAddrInfo_ {
char proto[JSON_PROTO_LEN];
} JsonAddrInfo;
extern const JsonAddrInfo json_addr_info_zero;
void JsonAddrInfoInit(const Packet *p, enum OutputJsonLogDirection dir,
JsonAddrInfo *addr);

1
src/output.c
Unescape Escape View File

@ -44,6 +44,7 @@
#include "alert-debuglog.h"
#include "alert-prelude.h"
#include "alert-syslog.h"
#include "output-json.h"
#include "output-json-alert.h"
#include "output-json-anomaly.h"
#include "output-json-flow.h"

Write Preview
Loading…
Cancel
Save